The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Ottawa, October 6, 2005 – The Privacy Act is an outdated and often inadequate public sector data protection law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, in her 2004-2005 Annual Report on the Privacy Act, which was tabled today by Parliament. The Privacy Commissioner's 2004 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy law, was also tabled today.

In her 2004-2005 Annual Report on the Privacy Act, the Commissioner highlights some of the most significant issues her Office has faced in the past year. These include security and the voracious appetite for personal information and surveillance that has sprung up in the post-9/11 environment, and the sharing of information and outsourcing of data operations across borders. She also emphasizes the long overdue need to modernize the Privacy Act, a first generation privacy law which has not been substantially amended since its inception in 1983.

"The privacy landscape is infinitely more complex today than it was a decade ago," states Ms. Stoddart. "Faced with increased globalization and extensive outsourcing of personal information processing and storage, Canada's Privacy Act lags woefully behind."

In her report, the Commissioner elaborates on the situation and explains some of the important things for the government to consider in updating the Privacy Act, for example:

There are gaps in the Privacy Act's coverage. Many institutions, including the Office of the Privacy Commissioner of Canada, are not subject to privacy law.

Under the Privacy Act, only those present in Canada have the right to seek access to their personal information. This means airline passengers, as well as immigration applicants, foreign student applicants, and countless other foreigners with information in Canadian government files, have no legal right to examine or correct erroneous information, to know how their information is used or disclosed, or to complain to the Commissioner.

Although government use of data matching arguably poses the greatest threat to individuals' privacy, the Privacy Act is silent on the practice. Government institutions should be obligated to link personal records in discrete systems only when demonstrably necessary, and under the continued vigilant oversight of the Commissioner.

Complainants may only seek a Court review of, and remedies for, denials of access to their personal information. This means that allegations of improper collection, use and disclosure may not be challenged before the Court, and the subsequent benefit of the Court's guidance on all government institutions is lost. Nor does the Privacy Act contemplate remedies for any damages caused by government actions.

The weaknesses of the Privacy Act are even more striking when the law is measured against PIPEDA. In fact, several of the Commissioner's concerns could be remedied by adopting provisions similar to those in PIPEDA.

In addition to pointing out the flaws of the Privacy Act, the Commissioner also calls for a more comprehensive and consistent approach to managing privacy in the federal government. She recommends seeking improvements to the current system through the development of a privacy management framework. A privacy management framework should be designed to help departments protect the personal information they control by identifying the inherent privacy risks, and how best to mitigate those risks.

This year, for the first time, the Commissioner has published two separate annual reports, dividing the Privacy Act from PIPEDA. The Privacy Act requires the Office to report on the fiscal year (2004-2005), while under PIPEDA, it must report on the calendar year (2004). As well, each Act provides a separate framework for investigations and audits. There is much overlap between the reports because many of the Office's activities are not particular to one law or another and, increasingly, the policy issues are common across the two regimes.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.